Russia is suspected of having used computer attacks during its war with Georgia in 2008.
The following account of the attack on The Times — which is based on interviews with Times executives, reporters and security experts — provides a glimpse into one such spy campaign.
After The Times learned of warnings from Chinese state security agents that its investigation of the wealth of Wen's relatives would "have consequences," executives on October 24 asked AT&T, which monitors The Times' computer network, to watch for unusual activity.
On October 25, the day the article was published online, AT&T informed The Times that it had noticed behaviour that was consistent with other attacks believed to have been perpetrated by the Chinese military.
The Times notified and voluntarily briefed the FBI on the attacks and then — not initially recognising the extent of the infiltration of its computers — worked with AT&T to track the attackers even as it tried to eliminate them from its systems.
But on November 7, when it became clear that attackers were still inside its systems despite efforts to expel them, The Times hired Mandiant, which specialises in responding to security breaches. Since learning of the attacks, The Times — first with AT&T and then with Mandiant — has monitored attackers as they have moved around its systems.
Hacker teams regularly began work, for the most part, at 8 am Beijing time. Usually they continued for a standard work day, but sometimes the hacking persisted until midnight. Occasionally, the attacks stopped for two-week periods, Mandiant said, although the reason was not clear.
Investigators still do not know how hackers initially broke into The Times' systems. They suspect the hackers used a so-called spear-phishing attack, in which they send emails to employees that contain malicious links or attachments. All it takes is one click on the email by an employee for hackers to instal "remote access tools" — or RATs. Those tools can siphon off oceans of data — passwords, keystrokes, screen images, documents and, in some cases, recordings from computers' microphones and web cameras — and send the information back to the attackers' web servers.
Michael Higgins, chief security officer at The Times, said: "Attackers no longer go after our firewall. They go after individuals. They send a malicious piece of code to your email account and you're opening it and letting them in."
Lying in wait
Once hackers get in, it can be hard to get them out. In the case of a 2011 breach at the US Chamber of Commerce, for instance, the trade group worked closely with the FBI to seal its systems, according to chamber employees. But months later, the chamber discovered that internet-connected devices — a thermostat in one of its corporate apartments and a printer in its offices — were still communicating with computers in China.
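Two of the patterns in this account lend themselves to simple checks over outbound-connection logs: activity that clusters inside another country's working day, and non-user devices such as a thermostat or printer talking to the same external address on a steady schedule. The script below is an added illustration, not code from The Times, AT&T or Mandiant; the log records, device names and internal address ranges are constructed for the example, and the external destinations are IANA documentation addresses rather than any real infrastructure.

```python
"""Added example (not from the article): two heuristics an incident responder
could run over outbound-connection logs. All sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed sample records: (device, device_type, UTC timestamp, destination IP).
# 192.0.2.0/24 is a documentation range, used here as a stand-in "external" host.
SAMPLE_LOG = [
    ("ws-101", "workstation", "2012-11-05T14:02:00Z", "203.0.113.10"),
    ("ws-101", "workstation", "2012-11-05T14:09:00Z", "198.51.100.5"),
    ("thermostat-apt2", "iot", "2012-11-05T00:00:00Z", "192.0.2.44"),
    ("thermostat-apt2", "iot", "2012-11-05T01:00:00Z", "192.0.2.44"),
    ("thermostat-apt2", "iot", "2012-11-05T02:00:00Z", "192.0.2.44"),
    ("thermostat-apt2", "iot", "2012-11-05T03:00:00Z", "192.0.2.44"),
    ("printer-3f", "printer", "2012-11-05T01:30:00Z", "192.0.2.44"),
    ("printer-3f", "printer", "2012-11-05T02:30:00Z", "192.0.2.44"),
    ("printer-3f", "printer", "2012-11-05T03:30:00Z", "192.0.2.44"),
    ("printer-3f", "printer", "2012-11-05T10:00:00Z", "10.0.0.5"),  # internal print server
]

# Constructed: the organisation's own address space. Anything else counts as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Device classes that have no business opening connections to the internet.
NON_USER_DEVICE_TYPES = {"iot", "printer"}
BEIJING = timezone(timedelta(hours=8))  # UTC+8, the working-day clock mentioned in the article


def is_internal(addr):
    return any(addr in net for net in INTERNAL_NETS)


def parse(record):
    device, dtype, ts, dst = record
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return device, dtype, when, ipaddress.ip_address(dst)


def beaconing_devices(records, min_connections=3, max_jitter_seconds=300):
    """Return {device: destination} for non-user devices that repeatedly contact
    one external address at a near-constant interval (a crude beacon heuristic)."""
    per_pair = defaultdict(list)
    for device, dtype, when, dst in map(parse, records):
        if dtype in NON_USER_DEVICE_TYPES and not is_internal(dst):
            per_pair[(device, str(dst))].append(when)
    flagged = {}
    for (device, dst), times in per_pair.items():
        if len(times) < min_connections:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        # A steady cadence (little spread between gaps) is what distinguishes a
        # scheduled check-in from ordinary, bursty use.
        if max(gaps) - min(gaps) <= max_jitter_seconds:
            flagged[device] = dst
    return flagged


def workday_share(records, tz=BEIJING, start_hour=8, end_hour=18):
    """Fraction of external connections that fall inside working hours in `tz`.
    A high share in a time zone where the organisation has no staff is a lead."""
    external = [when.astimezone(tz) for _, _, when, dst in map(parse, records) if not is_internal(dst)]
    if not external:
        return 0.0
    inside = sum(1 for t in external if start_hour <= t.hour < end_hour)
    return inside / len(external)


if __name__ == "__main__":
    print("steady external beacons from non-user devices:", beaconing_devices(SAMPLE_LOG))
    print("share of external traffic inside a Beijing working day:", round(workday_share(SAMPLE_LOG), 2))
```

On the constructed sample the thermostat and the printer are both flagged for hourly contact with the same external address, while the printer's connection to the internal print server is ignored; roughly three quarters of the external connections land between 08:00 and 18:00 Beijing time. Both checks are starting points for hunting rather than detectors: real implants add jitter to their intervals, so the spread threshold should be tuned to the environment, and the time-of-day share only means something once a baseline for the organisation's own working hours is known.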